# Build a Secure EUDI Wallet Relying Party

The digital identity landscape in Europe is undergoing its most significant shift in a decade. With the entry into force of Regulation (EU) 2024/1183 (eIDAS 2.0), every EU Member State is now mandated to offer at least one European Digital Identity Wallet (EUDIW) to its citizens. From the moment those wallets go live, any app or website that wants to accept identity attributes from them automatically becomes a Relying Party (RP) under the EUDI Architecture Reference Framework (ARF).


This article serves as the essential starting point for a comprehensive, multi-part series designed specifically to help CTOs, architects, and mobile developers secure the entire EUDI Relying Party infrastructure.

Here, in Article 1, we break down the regulatory changes and expose the mobile threat surface nobody warned you about: the blind spot the specifications don't cover, which makes runtime device security entirely your problem to solve.

{% hint style="info" %}
This multi-part series is built for CTOs, architects, and mobile developers. We break down the regulatory clock, the architectural shifts, and the hands-on implementation details required to close the mobile security gap.

**Explore the complete series:**

* **Part 1:** [Build a Secure EUDI Wallet Relying Party](/appsec-articles/articles/build-a-secure-eudi-wallet-relying-party.md) An overview of the new eIDAS 2.0 landscape, the mobile threat surface nobody warned you about, and how to map regulatory obligations to your security stack.
* **Part 2:** [EUDI Wallet Integration: A CTO's Decision Guide](/appsec-articles/articles/eudi-wallet-integration-a-ctos-decision-guide.md) A strategic roadmap covering implementation timelines, the shift from real-time IdP callbacks to offline verification, and the privacy requirements your DPO needs you to know.
* **Part 3:** [Secure EUDI Wallet Integration for Mobile Developers](/appsec-articles/articles/eudi-developer-guide-secure-eudi-wallet-integration-for-mobile-developers-arf-dcql-2026-2027.md) A hands-on implementation guide for securing the OpenID4VP flow, writing GDPR-compliant DCQL queries, and setting up robust backend verification gates.
* **Part 4:** [App Attestation for EUDI Relying Parties](/appsec-articles/articles/eudi-app-attestation-choices-appicrypt-vs.-google-play-integrity-and-apple-app-attest.md) A deep dive into platform attestation: AppiCrypt, Google Play Integrity, and Apple App Attest, and how to build a resilient, cross-platform attestation strategy.

*Disclaimer for full transparency: This article utilizes Talsec technology. We know we aren't the only vendor in the mobile security space. But we are the one running on 2,000,000,000 devices. We’ve protected more apps than there are cars on Earth. It's safe to say we know what we're doing.*
{% endhint %}

### What's actually changing

**Regulation (EU) 2024/1183**, the revised eIDAS (eIDAS 2.0), entered into force on **20 May 2024**. Every EU Member State must offer at least one **European Digital Identity Wallet (EUDIW)** to its citizens. From the moment a national wallet goes live, **any app or website that wants to accept identity attributes from it becomes a Relying Party (RP)** under the **EUDI Architecture Reference Framework (ARF)**.

**If your app:**

* Onboards customers (KYC),
* Gates content by age, residence, profession, or qualification,
* Signs contracts or accepts qualified electronic signatures,
* Replaces username/password with **wallet-based login**,

…then you are a **Relying Party**. And RPs carry **statutory security obligations**.

### The mobile threat surface nobody warned you about

EUDIW presentations happen **on a smartphone**. That smartphone is also where:

* The user's **wallet app** lives (and can be cloned, repackaged, or shimmed).
* Your **RP app** lives (and can be reverse-engineered, hooked with Frida, and run on an emulator).
* **Malware** can read screens, intercept NFC signals, or screen-share to a remote operator.
* **Social engineering** can drive a real user to present credentials to a fake RP.

The eIDAS 2.0 implementing acts and the ARF push hard on **wallet-side** assurance. But the **RP side** is just as exposed, and securing it is largely **your problem to solve**.

### What Talsec offers you

| Security need | Talsec product |
| --- | --- |
| Prove your RP app is genuine and untampered before accepting a presentation | **AppiCrypt®**, cross-platform app attestation |
| Detect rooted/jailbroken devices, debuggers, hooking frameworks, emulators | [**RASP+**](https://docs.talsec.app/premium-products/product/rasp) |
| Detect known malware on the device interacting with your app | [**Malware Detection**](https://docs.talsec.app/premium-products/product/malware-detection) |
| Detect screen overlays, accessibility abuse, and screen mirroring during a presentation | **RASP+** |
| Bind the user, the device, and your RP app cryptographically | **UserDevice Binding** |
| Defend against social-engineering / remote-control attacks during the OpenID4VP flow | **RASP+** |

Proceed to the next article in this series, ["EUDI Wallet Integration: A CTO's Decision Guide,"](/appsec-articles/articles/eudi-wallet-integration-a-ctos-decision-guide.md) to establish your strategic roadmap and understand the critical architectural shifts needed to ship securely.

*written by Majid Hajian*


